Closed Bug 226729 Opened 22 years ago Closed 22 years ago

certificate warning bypass

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
x86
Windows 2000
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: mc_legolas, Assigned: KaiE)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007

For a bit of history on this one, go to bug 226723, it's probably very related.

On www.house.co.uk (and going into the 'register' link) with moz 1.4.1 and 1.5 releases, I get a certificate warning saying issuer is unknown. If I click 'cancel', then go to an SSL site that I know usually works and certificate looks ok (e.g. www.halifax-online.co.uk, goes straight into SSL), then go back to www.house.co.uk, I don't get the certificate warning.

I'm not sure if this is 100% reproducible, because the certificate warning prompt seems to be handled very iffily, and I don't have the resources to research into totally invalid certificates being accepted through this bypass method, but I think it's serious enough to at least make the potential of it being known even if I turn out to be wrong about it (or varying degrees of wrong).

The other problem in testing these SSL issues I think I've found is that I don't have a reference browser which consistently does even near the right thing. Opera 7x gets very confused and crashes in the testing that I've done, and IE is of no use whatsoever as it accepts the house.co.uk cert (Opera doesn't) without question.

Reproducible: Sometimes

Steps to Reproduce:
1.
2.
3.
Assignee: general → kaie
Component: Browser-General → Client Library
Product: Browser → PSM
QA Contact: general → bmartin
Version: Trunk → 2.4
This sounds very much like the usual error made by many webmasters: they install a certificate from Verisign, but not the intermediate certificate. This is a mistake by the server operator. I'm marking this as invalid because Mozilla is behaving as defined; the solution is to fix the web server installation at www.house.co.uk.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
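
The misconfiguration described in the comment above (a server certificate installed without its intermediate certificate), reproduced offline with the `openssl` command line as an added example that is not part of the original bug thread. The CA names, host name and file names are constructed for the illustration.

```shell
#!/bin/sh
# Constructed PKI for illustration: root CA -> intermediate CA -> server cert.
make_pki() {
    d=$1
    cfg="$d/openssl.cnf"
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=placeholder\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$cfg"
    # Self-signed root CA: the only certificate the client trusts.
    openssl req -x509 -config "$cfg" -extensions ca -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    # Intermediate CA, signed by the root.
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1 -days 30 -extfile "$cfg" -extensions ca \
        -out "$d/inter.pem" 2>/dev/null &&
    # Server certificate, signed by the intermediate.
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 2 -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the server certificate against the trusted root only.
# Extra arguments (e.g. -untrusted FILE) supply certificates that may be
# used to build the chain but are not trusted themselves, such as the
# intermediate a correctly configured server sends in its handshake.
chain_ok() {
    d=$1; shift
    openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
if chain_ok "$demo_dir"; then
    echo "server cert alone: chain builds"
else
    echo "server cert alone: issuer unknown (intermediate missing)"
fi
if chain_ok "$demo_dir" -untrusted "$demo_dir/inter.pem"; then
    echo "server cert + intermediate: chain builds to trusted root"
fi
rm -rf "$demo_dir"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.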
Not to be intentionally a PITA, but I'm re-opening this bug. It doesn't matter if the guy who admins house.co.uk has screwed up. Mozilla regarded that certificate as dodgy, but then if you click cancel, go to a non-dodgy secure site, and back again, Mozilla no longer thinks it is dodgy. Checking again now, Mozilla doesn't pop the error that it did before. I haven't been to that site in days. My machine has been restarted a few times since then, so no possibility that Mozilla still thinks it is the same session or anything.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
The software should accurately describe the issue it has encountered. By all visible evidence to the user, Mozilla thinks Verisign isn't a valid issuer of certificates. The user's conclusion is very likely to be that Mozilla is flawed in that respect. If the sysadmin who maintains house.co.uk in this situation is very likely to have screwed up in the respect you're describing, then the error message should reflect that. Perhaps when you click 'examine certificate', instead of saying "issuer unknown", elaborate, maybe along the lines that the sysadmin may have incorrectly configured SSL on their server. Maybe also elaborate further that the website stands a good chance of still being pretty secure regarding encryption.
Ignore comment 4, wrong bug! Damn...
A misconfigured server will cause failures and user confusion. No matter what error message is displayed, users will assume it is the fault of their own software, and not of the server. (Server admins never make mistakes, do they?) The responsibility for preventing this confusion lies with the server admin, who can avoid it simply by correctly configuring the server. The house server is now apparently properly configured. No error in mozilla was actually discovered. Resolving "WorksForMe".
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard